Netgate Discussion Forum

    NAT on Local side

    Category: NAT
    14 Posts 2 Posters 697 Views
    meluvalli

      Hello. I am hoping someone can assist me.

      I am trying to forward everything that tries to go outside my network on port 80 to a Windows Proxy server.

      This is the rule I have setup:
      NAT/Port Forward
      Interface: LAN
      Protocol: TCP
      Source Address: ![My Proxy Server IP] (I don't want it to use this rule if the request is coming from the proxy)
      Dest. Address: ![LAN Address] (I want to be able to access pfSense GUI still)
      Dest. Ports: 80 (HTTP)
      NAT IP: [My Proxy Server IP]
      NAT Port: 808 (This is the address my Proxy listens on)

      However, it doesn't work at all. I tried even changing the IP to a different machine to see if I can no longer get out at all on port 80 from my client, but I still can. It's like the rule is being ignored. Am I doing this correctly?

      Thank you!

      Aaron

      KOM

        Did you clear states before you ran your test again? Existing states aren't affected by rule changes.

        meluvalli

          Just tried that and still no change. The rule is just ignored.

          KOM

            It sounds like you're doing it right. Here is a guide for how to redirect DNS to pfSense. Different ports & protocols, but the basics still apply.

            https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html

            Test it with a packet capture running and see what's going in and going out of pfSense LAN interface.

            meluvalli @KOM

              :( Ok. Well, That's actually the guide I based it off to set it up originally. I even have Nat Reflection Disabled on it like the guide says.

              I will try and look at packet capturing, but I'm not sure that will do much because it'll just say my client is going out to the address of the webpage I'm accessing.

              KOM

                If you don't know what's going on then a packet capture is the only way to find out, otherwise you're just guessing and scratching your head.

                Post a screen shot of your LAN rules page.

                meluvalli

                  Here are the packets.

                  09:30:27.714780 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 0
                  09:30:27.869182 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 0
                  09:30:27.869606 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 0
                  09:30:27.869895 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 434
                  09:30:28.031529 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 0
                  09:30:28.039424 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 1460
                  09:30:28.040341 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 1460

                  meluvalli

                    [screenshot attachment: LAN.png]

                    KOM

                      Change your Source port from 80 to * in your NAT rule. Source ports are random and dynamically assigned.

                      meluvalli

                        Made a little progress with that change... But still no go. Now I can't get out at all on port 80. Even if I go to a command prompt and try and telnet, it's like the port isn't open...

                        I tried: telnet www.google.com 80

                        Packets captured:
                        10:19:42.355820 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
                        10:19:42.355925 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0
                        10:19:45.368340 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
                        10:19:45.368417 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0
                        10:19:46.899623 ARP, Request who-has 10.40.162.1 (00:15:5d:a2:5a:07) tell 10.40.162.203, length 46
                        10:19:46.899654 ARP, Reply 10.40.162.1 is-at 00:15:5d:a2:5a:07, length 28
                        10:19:51.368321 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
                        10:19:51.368371 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0

                        I also confirmed I can telnet into 10.40.162.94 808. This works. So, I know it's something with the route still.

                        Also, FYI, I verified I can telnet www.google.com 80 from my Proxy machine. That works, so I know the proxy can still get out :)

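As an added example (not code from this thread, from pfSense, or from Netgate), the script below replays the LAN port-forward rule from the first post against the two tcpdump captures posted above, first with the source port set to 80 and then with it set to `*` as KOM suggested. It models only what pf's `rdr` matching does with the fields the rule uses (negated source host, negated destination host, destination port, optional source port) and checks that every matching packet is followed in the capture by its rewritten twin, as it is in the second capture. The pfSense LAN address is not stated in the thread; the script assumes 10.40.162.1, the gateway the client ARPs for in the second capture. The capture lines are copied verbatim from the posts.

```python
"""Replay the thread's LAN port forward against its tcpdump lines (added example)."""
import re
from dataclasses import dataclass, replace
from typing import Optional

PROXY = "10.40.162.94"    # the Windows proxy, from the thread
LAN_ADDR = "10.40.162.1"  # ASSUMED pfSense LAN address (the client ARPs for it below)

# tcpdump output copied from the thread: before the source-port fix ...
CAPTURE_BEFORE = """\
09:30:27.714780 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 0
09:30:27.869182 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 0
09:30:27.869606 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 0
09:30:27.869895 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 434
09:30:28.031529 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 0
09:30:28.039424 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 1460
09:30:28.040341 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 1460
"""
# ... and after it (telnet www.google.com 80 from the client)
CAPTURE_AFTER = """\
10:19:42.355820 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
10:19:42.355925 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0
10:19:45.368340 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
10:19:45.368417 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0
10:19:46.899623 ARP, Request who-has 10.40.162.1 (00:15:5d:a2:5a:07) tell 10.40.162.203, length 46
10:19:46.899654 ARP, Reply 10.40.162.1 is-at 00:15:5d:a2:5a:07, length 28
10:19:51.368321 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
10:19:51.368371 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0
"""


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


# tcpdump's quiet TCP summary line; ARP and anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): tcp (?P<length>\d+)$"
)


def parse_capture(text: str) -> list:
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(m["ts"], m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"]), int(m["length"])))
    return pkts


@dataclass(frozen=True)
class RdrRule:
    """The LAN port forward as pf matches it: '!' source host, '!' destination host,
    destination port, optional source port, and the redirect target."""
    not_src: str
    not_dst: str
    dport: int
    sport: Optional[int]  # None stands for '*' in the pfSense GUI
    nat_ip: str
    nat_port: int


def matches(rule: RdrRule, p: Packet) -> bool:
    return (p.src != rule.not_src and p.dst != rule.not_dst
            and p.dport == rule.dport
            and (rule.sport is None or p.sport == rule.sport))


def apply_rdr(rule: RdrRule, p: Packet) -> Packet:
    """Rewrite the destination the way rdr would; non-matching packets pass unchanged."""
    return replace(p, dst=rule.nat_ip, dport=rule.nat_port) if matches(rule, p) else p


def count_matches(rule: RdrRule, pkts: list) -> int:
    return sum(1 for p in pkts if matches(rule, p))


def audit_capture(rule: RdrRule, pkts: list) -> dict:
    """On a pfSense LAN capture a redirected packet shows up twice: as the client sent it,
    then as pf rewrote it. Check each matching packet is followed by that twin and count
    answers coming back from the redirect target (none means the proxy never replied)."""
    rewritten = 0
    for before, after in zip(pkts, pkts[1:]):
        if matches(rule, before):
            want = apply_rdr(rule, before)
            if (after.src, after.sport, after.dst, after.dport) != \
                    (want.src, want.sport, want.dst, want.dport):
                return {"consistent": False, "rewritten": rewritten, "proxy_replies": 0}
            rewritten += 1
    replies = sum(1 for p in pkts if p.src == rule.nat_ip and p.sport == rule.nat_port)
    return {"consistent": True, "rewritten": rewritten, "proxy_replies": replies}


RULE_SPORT_80 = RdrRule(PROXY, LAN_ADDR, 80, 80, PROXY, 808)    # source port 80: clients never match
RULE_FIXED = RdrRule(PROXY, LAN_ADDR, 80, None, PROXY, 808)     # source port '*'

if __name__ == "__main__":
    print("sport 80, first capture:", audit_capture(RULE_SPORT_80, parse_capture(CAPTURE_BEFORE)))
    print("sport *,  second capture:", audit_capture(RULE_FIXED, parse_capture(CAPTURE_AFTER)))
```

With the source port pinned to 80 nothing in the first capture matches, which is why the rule looked ignored: clients pick an ephemeral source port. With the source port set to `*`, the second capture audits as three rewritten SYNs and zero packets back from 10.40.162.94:808, which is the evidence behind KOM's conclusion that the redirect on pfSense is fine and the next place to look is the proxy host.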
                          KOM

                          The redirect is working according to your capture. Did you change the Source from * back to !10.40.162.94?

                            meluvalli @KOM

                            Yes. I never changed the Source IP. Only the Source port. Source port is now *. Source IP is still !10.40.162.94

                              KOM

                              I don't know what your other system is doing, but the NAT is working as expected. Time to look at it from the proxy's perspective.

                                meluvalli

                                Ok. I will play more with it! I really appreciate your help!

                                I'm confused because if I manually set my proxy on my machine to 10.40.162.94, it works. So I know the proxy is functional.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.